Two UC Santa Cruz students found a major security flaw in CSC ServiceWorks laundry machines.
Over a million internet-connected laundry machines in homes, hotels, and colleges worldwide are affected by the bug, which allows people to run them for free.
The students who discovered it, Alexander Sherbrooke and Iakov Taranenko, reported it earlier this year. Despite their attempts, CSC ServiceWorks has not fixed the vulnerability, leaving the system vulnerable.
A ‘Eureka’ Moment in the Basement
The finding occurred in early January, when Sherbrooke was seated on the floor of his basement laundry room with his laptop.
He started a laundry cycle without paying by running a script.
The machine replied instantly, ready to wash a free load of clothing.
The students demonstrated the weakness by adding a fictitious balance of several million dollars to one of their laundry accounts, which appeared as a normal balance in the CSC Go mobile app.
According to TechCrunch's findings, this discovery exposes a serious flaw in the API of CSC's mobile app, the interface through which apps and devices communicate with CSC's servers online.
Lack of Response from CSC ServiceWorks
CSC did not respond to the students' reports despite several phone calls and messages sent through its online contact form.
They also contacted Carnegie Mellon University's CERT Coordination Centre, which coordinates the reporting of security issues to vendors.
The students waited over three months before releasing their findings, expecting that CSC would fix the problem.
The vulnerability remains unpatched. This month, the researchers presented their findings at their university's cybersecurity club, highlighting the risks of connecting heavy appliances to the internet, where they are exposed to attack.
Technology vendors like CSC must perform security checks, Sherbrooke and Taranenko said.
The app on the user's phone performs security checks that CSC's servers automatically trust; because the server never repeats those checks itself, the students found they could mislead CSC's servers into approving account balance changes.
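The pattern the students describe, a server that accepts the client's own verdict on whether a balance change is legitimate, is illustrated below in an added example. This is hypothetical code written for this article, not CSC's API or the researchers' script; the request shape, the account store, the payment gateway and the receipt ids are all constructed. It places the trusting handler beside a hardened one in which the server derives the credit from a receipt it settles itself and refuses replays of a receipt already credited.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class TopUpRequest:
    """Shape of a hypothetical top-up request sent by a mobile app (constructed)."""
    account_id: str
    new_balance: float          # balance chosen by the client
    client_checks_passed: bool  # client asserts that it verified the payment


def vulnerable_top_up(accounts: Dict[str, float], req: TopUpRequest) -> bool:
    """Server trusts the app's own checks and stores whatever balance it is told.

    This is the class of flaw described in the article: the only 'check' is a
    flag the client controls, so the client also controls the resulting balance.
    """
    if not req.client_checks_passed:
        return False
    accounts[req.account_id] = req.new_balance
    return True


class PaymentGateway:
    """Stand-in for a server-side payment processor (constructed, in-memory)."""

    def __init__(self, receipts: Dict[str, float]):
        self._receipts = receipts          # receipt_id -> amount actually charged
        self._consumed: Set[str] = set()   # receipts that were already credited

    def settle(self, receipt_id: str) -> Optional[float]:
        """Return the charged amount for a receipt, or None if unknown or reused."""
        if receipt_id in self._consumed:
            return None                    # reject replay of a used receipt
        amount = self._receipts.get(receipt_id)
        if amount is None:
            return None                    # unknown or forged receipt id
        self._consumed.add(receipt_id)
        return amount


def hardened_top_up(accounts: Dict[str, float], account_id: str,
                    receipt_id: str, gateway: PaymentGateway) -> bool:
    """Server computes the credit from a receipt it verifies on its own side.

    The client never supplies the new balance or a 'checks passed' flag; its only
    input is an opaque receipt id, and the server decides what it is worth.
    """
    amount = gateway.settle(receipt_id)
    if amount is None or amount <= 0:
        return False
    accounts[account_id] = accounts.get(account_id, 0.0) + amount
    return True


def demo():
    """Run both handlers on constructed data and return the observable outcomes."""
    accounts = {"acct-1": 5.00}            # constructed sample account
    vulnerable_top_up(accounts, TopUpRequest("acct-1", 1_000_000.0, True))
    dictated_balance = accounts["acct-1"]  # client dictated its own balance

    accounts = {"acct-1": 5.00}
    gateway = PaymentGateway({"rcpt-abc": 10.00})   # one genuine constructed receipt
    first = hardened_top_up(accounts, "acct-1", "rcpt-abc", gateway)     # credited
    replay = hardened_top_up(accounts, "acct-1", "rcpt-abc", gateway)    # refused
    forged = hardened_top_up(accounts, "acct-1", "rcpt-forged", gateway) # refused
    return dictated_balance, first, replay, forged, accounts["acct-1"]


if __name__ == "__main__":
    print(demo())
```

The design point is that every authorization decision the app makes must be repeated, or better, made only, on the server: the server validates the payment against a source it trusts, computes the balance itself, and treats each receipt as single-use so a captured receipt cannot be credited twice.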
Future risks and implications
According to the researchers, this vulnerability could lead to overheating and fires if the machines' safety limits are bypassed.
The machine's physical start button must still be pressed to begin a cycle, although cycle settings can be changed remotely.
CSC ServiceWorks quietly removed the researchers' false account balance after they reported their findings, but left the flaw itself unfixed.
Taranenko wondered how a large organization could make such mistakes and not offer a means to report security risks.
Despite the silence, students continue their investigation.
Taranenko stressed the relevance of real-world security research by offering to aid firms with security concerns.
Since the vulnerability remains open, the researchers hope CSC ServiceWorks will take immediate action to safeguard its systems and prevent exploitation.